Merge pull request #34 from gdgd009xcd/JOHANNES240325

gdgd009xcd · web-flow · commit 06a84b683fbb · 2024-03-29T20:42:53.000+09:00
## [v0.8.9] - 2024-03-28
diff --git a/addOns/customactivescan/CHANGELOG.md b/addOns/customactivescan/CHANGELOG.md
@@ -2,6 +2,11 @@
 All notable changes to this add-on will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+
+## [v0.8.9] - 2024-03-28
+### Changed
+- bugfix: Changed to correctly encode and decode the HttpRequest body based on Content-Encoding.
+
 ## [v0.8.8] - 2024-03-12
 ### Added
 - new feature: Supported URLEncoded(%XX) value within pattern for embeding binary data on the request. see [this](https://github.com/gdgd009xcd/CustomActiveScanForZAP/wiki/2.0.-CustomActiveScan-Main-Panel/#5-decode-urlencodedxx-value-check-box)
diff --git a/addOns/customactivescan/customactivescan.gradle.kts b/addOns/customactivescan/customactivescan.gradle.kts
@@ -1,7 +1,7 @@
 import org.zaproxy.gradle.addon.AddOnStatus
 
 
-version = "0.8.8"
+version = "0.8.9"
 description = "a Active Scanner with custmizable rules"
 
 val jar by tasks.getting(Jar::class) {
diff --git a/addOns/customactivescan/src/main/java/org/zaproxy/zap/extension/customactivescan/CustomSQLInjectionScanRule.java b/addOns/customactivescan/src/main/java/org/zaproxy/zap/extension/customactivescan/CustomSQLInjectionScanRule.java
@@ -1661,7 +1661,7 @@ private void setPatternToHttpMessage(
                     UUID uuid = UUIDGenerator.getUUID();
                     String embedDummy = "X___" + uuid.toString() + "~~~Y";
                     setParameter(msg2, paramName, embedDummy);
-                    byte[] bodyBytes = msg2.getRequestBody().getBytes();
+                    byte[] bodyBytes = msg2.getRequestBody().getContent();
                     String charsetName = msg2.getRequestBody().getCharset();
                     Charset charset = Charset.forName(charsetName);
                     LOGGER4J.debug("embed charset:" + charset);
@@ -1687,7 +1687,7 @@ private void setPatternToHttpMessage(
                             keyString.getBytes(StandardCharsets.UTF_8),
                             binBytes.getBytes());
                     byte[] outputBodyBytes = replaceByteSequence.action(0);
-                    httpMessage.setRequestBody(outputBodyBytes);
+                    httpMessage.getRequestBody().setContent(outputBodyBytes);
                 }
                 break;
             case NameValuePair.TYPE_GRAPHQL_INLINE:// inline arguments in GRAPH QL
@@ -1719,6 +1719,7 @@ private void setPatternToHttpMessage(
                     String charsetName = msg2.getRequestBody().getCharset();
                     Charset charset = Charset.forName(charsetName);
                     LOGGER4J.debug("embed charset:" + charset);
+
                     boolean isURLEncoded = false;
                     org.apache.commons.httpclient.URI uri = msg2.getRequestHeader().getURI();
                     try {
@@ -1785,7 +1786,7 @@ private void setPatternToHttpMessage(
                         if (isURLEncoded) {
                             setEscapedParameter(httpMessage, paramName, paramValueEncoded);
                         } else {
-                            byte[] bodyBytes = msg2.getRequestBody().getBytes();
+                            byte[] bodyBytes = msg2.getRequestBody().getContent();//this decode request body with using Content-Encoding method and return it.
                             ParmGenBinUtil replaceBytes = new ParmGenBinUtil(originalValue.getBytes(charset));
                             if (isConvertURLDecodedValue) {
                                 PartialURLDecodeISO8859_1ToBytes partialURLDecodeISO88591ToBytes =
@@ -1802,7 +1803,8 @@ private void setPatternToHttpMessage(
                                             embedDummy.getBytes(StandardCharsets.UTF_8),
                                             replaceBytes.getBytes());
                             byte[] outputBodyBytes = replaceByteSequence.action(0);
-                            httpMessage.setRequestBody(outputBodyBytes);
+
+                            httpMessage.getRequestBody().setContent(outputBodyBytes);// This encode specified binary with using the Content-Encoding method and set it to request body.
                         }
                     }
                 }
@@ -1832,7 +1834,7 @@ private void embedParamValueToRequestBodyAsBytes(
         UUID uuid = UUIDGenerator.getUUID();
         String embedDummy = "X___" + uuid.toString() + "~~~Y";
         setParameter(msg2, paramName, embedDummy);
-        byte[] bodyBytes = msg2.getRequestBody().getBytes();
+        byte[] bodyBytes = msg2.getRequestBody().getContent();
         String charsetName = msg2.getRequestBody().getCharset();
         Charset charset = Charset.forName(charsetName);
         LOGGER4J.debug("embed charset:" + charset);
@@ -1850,7 +1852,7 @@ private void embedParamValueToRequestBodyAsBytes(
                 embedDummy.getBytes(StandardCharsets.UTF_8),
                 binBuffer.getBytes());
         byte[] outputBodyBytes = replaceByteSequence.action(0);
-        httpMessage.setRequestBody(outputBodyBytes);
+        httpMessage.getRequestBody().setContent(outputBodyBytes);
     }
 
     private String getEscapedParamValueUTF8(String originalValue, String patternValue) {
diff --git a/addOns/customactivescan/src/main/java/org/zaproxy/zap/extension/customactivescan/HttpMessageWithLCSResponse.java b/addOns/customactivescan/src/main/java/org/zaproxy/zap/extension/customactivescan/HttpMessageWithLCSResponse.java
@@ -307,5 +307,26 @@ private String getWholeMessageString(HttpMessage httpMessage) {
         return originalMessageString;
     }
 
-
+    /**
+     * update request body with bodyBytes and update Content-Length with bodyBytes.length
+     * this method may not need because plugin's SendAndReceive method always update Content-Length by calling updateRequestContentLength.
+     *
+     * @param message
+     * @param bodyBytes
+     */
+    public static void updateRequestContent(HttpMessage message, byte[] bodyBytes) {
+        message.getRequestBody().setContent(bodyBytes);
+        int bodyLength = message.getRequestBody().length();
+        String method = message.getRequestHeader().getMethod();
+        if (bodyLength == 0
+                && (HttpRequestHeader.GET.equalsIgnoreCase(method)
+                || HttpRequestHeader.CONNECT.equalsIgnoreCase(method)
+                || HttpRequestHeader.DELETE.equalsIgnoreCase(method)
+                || HttpRequestHeader.HEAD.equalsIgnoreCase(method)
+                || HttpRequestHeader.TRACE.equalsIgnoreCase(method))) {
+            message.getRequestHeader().setHeader(HttpHeader.CONTENT_LENGTH, null);
+            return;
+        }
+        message.getRequestHeader().setContentLength(bodyLength);
+    }
 }
diff --git a/addOns/customactivescan/src/main/javahelp/help/contents/help.html b/addOns/customactivescan/src/main/javahelp/help/contents/help.html
@@ -14,7 +14,7 @@ <H2>About</H2>
 
 <H2>Description</H2>
 <UL>
-    <B>These below links go to the page under  https://github.com/gdgd009xcd/AutoMacroBuilderForZAP/wiki/</B><P></P>
+    <B>These below links go to the page under https://github.com/gdgd009xcd/CustomActiveScanForZAP</B><P></P>
 <LI><A HREF="https://github.com/gdgd009xcd/CustomActiveScanForZAP#customactivescanforzap">Overview</A>
 <LI><A HREF="https://github.com/gdgd009xcd/CustomActiveScanForZAP/wiki/1.0.-Basic-Usage">Basic Usage</A>
 </UL>
